Portable OpenSSH

A remote attacker is reported to be able to identify valid user IDs on
systems running Portable OpenSSH with PAM enabled. The vulnerability
is caused by Portable OpenSSH delaying its response when a login is
attempted with a valid user ID and an invalid password, while
responding with little or no delay when a login is attempted with an
invalid user ID. This problem is reported to affect Debian GNU/Linux,
Red Hat Linux, and Mandrake Linux; it may also affect SuSE Linux,
Caldera/SCO Linux, Apple OS-X, and other Linux distributions that use
OpenSSH_3.6.1p1 or earlier with PAM support compiled in (--with-pam).
A proof-of-concept application that exploits this vulnerability has
been released to the public.

Portable OpenSSH Under AIX

It has been reported that versions of Portable OpenSSH prior to
3.6.1p2, when compiled under AIX with GCC or other non-IBM
compilers, will first look for its shared libraries in its current
working directory. The runtime linker under AIX has a flaw in that by
default, it will link applications so that they will look for shared
(dynamic) libraries in the current directory. Versions of Portable
OpenSSH prior to version 3.6.1p2 have code to work around the flaw in
the linker, but only if the IBM compiler is selected.

Portable OpenSSH 3.6.1p2 uses the proper compiler flags to work around
this problem. One possible workaround is to remove the set-user-ID
bits from all SSH applications. Removing set-user-ID bits will also
remove some functionality from SSH.

ATM on Linux

The experimental code that supports ATM under Linux has a bug that can
be exploited by a local attacker to execute arbitrary code with root
permissions. Code to automate the exploitation of this bug has been
released to the public.

Qpopper v4.0.x poppassd

poppassd is a daemon provided with Qpopper that provides
remote users the ability to change their passwords. A flaw in
poppassd is reported to be exploitable by a local user to gain root
permissions.

It is recommended that the set-user-ID bit be removed from poppassd
until it has been repaired.

Monkey HTTPd

The Monkey web server is vulnerable to a buffer overflow in the code
that handles POST requests. This buffer overflow may be exploitable
by remote attackers to execute arbitrary code as the user that is
running the web server. Monkey HTTPd v0.6.1 is reported to be
vulnerable.

It is recommended that users upgrade to Monkey HTTPd version 0.6.2 as
soon as possible. Users that are unable to upgrade Monkey HTTPd
immediately should consider disabling it until it is upgraded.

Red Hat mod_auth_any

Red Hat has released new mod_auth_any packages for Red Hat Linux 7.2
and 7.3. mod_auth_any is an Apache module that Apache uses to call
external applications to verify user passwords. The new mod_auth_any
package repairs a problem that could be used by a remote attacker to
execute shell commands with the permissions of the user running the
web server. In addition, the current version of mod_auth_any is reported
to not differentiate between a non-response due to a crash of the
called application and a success.

Red Hat recommends that affected users upgrade to the proper errata
package as soon as possible.
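
Both problems described above (user input reaching a shell, and a
crashed helper being read as a success) are avoided by a caller that
execs the helper directly and fails closed. The following is an added
example, not code from mod_auth_any or Red Hat; the function name
external_auth_ok and the stdin/"OK" helper protocol are assumptions
made for illustration.

```c
/* Added example: fail-closed call to an external password checker.
 * Hypothetical protocol: helper reads "user\npass\n" on stdin and accepts
 * by printing "OK\n" and exiting 0. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

int external_auth_ok(char *const helper_argv[], const char *user, const char *pass)
{
    char msg[512], reply[8];
    int in[2], out[2], status = 0;
    ssize_t n, got = 0;

    /* Credentials travel as data on stdin; refuse embedded newlines. */
    if (strchr(user, '\n') || strchr(pass, '\n')) return 0;
    int len = snprintf(msg, sizeof msg, "%s\n%s\n", user, pass);
    if (len < 0 || (size_t)len >= sizeof msg) return 0;
    if (pipe(in) != 0) return 0;
    if (pipe(out) != 0) { close(in[0]); close(in[1]); return 0; }
    /* Written before fork: it fits the pipe buffer, so no block, no SIGPIPE. */
    int sent = write(in[1], msg, (size_t)len) == len;

    pid_t pid = sent ? fork() : -1;
    if (pid == 0) {
        dup2(in[0], STDIN_FILENO);
        dup2(out[1], STDOUT_FILENO);
        close(in[0]); close(in[1]); close(out[0]); close(out[1]);
        execv(helper_argv[0], helper_argv);  /* fixed argv; no shell sees user input */
        _exit(127);
    }
    close(in[0]); close(in[1]); close(out[1]);
    if (pid < 0) { close(out[0]); return 0; }

    while ((n = read(out[0], reply + got, sizeof reply - (size_t)got)) > 0) got += n;
    close(out[0]);
    if (waitpid(pid, &status, 0) != pid) return 0;
    /* Fail closed: only a clean exit 0 AND the exact reply "OK\n" is success. */
    return WIFEXITED(status) && WEXITSTATUS(status) == 0 &&
           got == 3 && memcmp(reply, "OK\n", 3) == 0;
}

int main(void)
{
    /* Constructed sample helper: dies without answering, as a crash would. */
    char *const crashed[] = { "/bin/sh", "-c", "kill -9 $$", NULL };
    printf("crashed helper -> %s\n",
           external_auth_ok(crashed, "alice", "secret") ? "ALLOW" : "DENY");
    return 0;
}
```

A helper that hangs would block this call; a production caller would
also bound the wait.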

pptpd

pptpd, a Virtual Private Networking (VPN) Server, has a buffer
overflow that can be exploited by a remote attacker to execute
arbitrary code as root. It is reported that an automated script to
exploit this buffer overflow has been made available.

Users should watch their vendor for updated packages that fix the
buffer overflow. Packages for Debian GNU/Linux have been released.

EPIC4

EPIC4 (the Enhanced Programmable IRCII Client), a client for Internet
Relay Chat, is vulnerable to buffer overflows that can be exploited by
a remote server to which the client has connected. The buffer
overflows are exploitable as a denial-of-service attack and, under some
conditions, may be used to execute arbitrary code on the local machine
with the permissions of the user running the client.

Users should watch their vendor for an update to EPIC4 that repairs
the buffer overflows and should be careful about which IRC servers
they connect to.

HPUX rexec

The rexec command under HPUX B.10.20 has been reported to have a
buffer overflow in the code that handles the "-l" command line option.

Users should watch HP for a Security Bulletin and a patch for this
problem. Users should consider disabling rexec until it has been
patched.

Cisco Vulnerabilities

Cisco has announced denial-of-service vulnerabilities in the FTP or
Telnet services of certain Cisco equipment. These vulnerabilities
were found using the Nessus security scanner. Affected equipment
includes: "Cisco ONS15454 Optical Transport Platform, the Cisco
ONS15327 Edge Optical Transport Platform, the Cisco ONS15454SDH
Multiplexer Platform, and the Cisco ONS15600 Multiservice Switching
Platform." The recommended configuration, where the control cards for
these machines are connected to a private network that is not
connected to the Internet, will prevent the exploitation of these
vulnerabilities by outside attackers.

Cisco has released upgraded software that fixes these problems and
recommends that affected users upgrade as soon as possible.